Vulnerability Discovery
We are going to look at CVE-2019-2215 which is a Use after Free vulnerability in Binder IPC subsystem.
This is a very severe vulnerability because binder subsystem is reachable from Chrome sandbox and can lead to privilege escalation if chained with a renderer exploit.
Original Discovery
This bug was initially discovered by syzbot (syzkaller bot) in the month of November 2017 without a reproducer. In the month of December 2017 syzbot was able to find a reproducer. You can find the original bug report here https://groups.google.com/forum/#!msg/syzkaller-bugs/QyXdgUhAF50/eLGkcwk9AQAJ
This bug was patched in February 2018 without a CVE number. Hence, the patch was not back-ported to many already released devices like Pixel and Pixel 2.
Rediscovery
This bug was rediscovered by Maddie Stone (@maddiestone) of Project Zero based on an intelligence report from Google's Threat Analysis Group (TAG). She reported this vulnerability on 27th September 2019. You can find Maddie's report here https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
The rediscovery of this bug is very interesting, Maddie documented it with the exploitation primitive here https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
I strongly suggest you all to read the blog post, so that you know the interesting story about the rediscovery of this bug.
Patch
This bug got patched in q-goldfish-android-goldfish-4.14-dev with commit id 7a3cee43e935b9d526ad07f20bf005ba7e74d05b.
ashfaq@hacksys:~/workshop/android-4.14-dev$ cd goldfish/
ashfaq@hacksys:~/workshop/android-4.14-dev/goldfish$ git show 7a3cee43e935b9d526ad07f20bf005ba7e74d05b
commit 7a3cee43e935b9d526ad07f20bf005ba7e74d05b
Author: Martijn Coenen <maco@android.com>
Date: Fri Jan 5 11:27:07 2018 +0100
ANDROID: binder: remove waitqueue when thread exits.
commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f upstream.
binder_poll() passes the thread->wait waitqueue that
can be slept on for work. When a thread that uses
epoll explicitly exits using BINDER_THREAD_EXIT,
the waitqueue is freed, but it is never removed
from the corresponding epoll data structure. When
the process subsequently exits, the epoll cleanup
code tries to access the waitlist, which results in
a use-after-free.
Prevent this by using POLLFREE when the thread exits.
Signed-off-by: Martijn Coenen <maco@android.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index a340766b51fe..2ef8bd29e188 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4302,6 +4302,18 @@ static int binder_thread_release(struct binder_proc *proc,
if (t)
spin_lock(&t->lock);
}
+
+ /*
+ * If this thread used poll, make sure we remove the waitqueue
+ * from any epoll data structures holding it with POLLFREE.
+ * waitqueue_active() is safe to use here because we're holding
+ * the inner lock.
+ */
+ if ((thread->looper & BINDER_LOOPER_STATE_POLL) &&
+ waitqueue_active(&thread->wait)) {
+ wake_up_poll(&thread->wait, POLLHUP | POLLFREE);
+ }
+
binder_inner_proc_unlock(thread->proc);
if (send_reply)
Note: You won't be able to see this commit history because we did a shallow clone. However, I have a full clone of the
q-goldfish-android-goldfish-4.14-devbranch.